W32/Navidad@M
This worm spreads through email, arriving as an attachment from people you know, or from addresses you have mailed recently. The attachment is named NAVIDAD.EXE. If you open it, an error box pops up that simply says "UI", and a small blue eye appears in the system tray on your taskbar. Anyone who sends you an email will automatically receive a reply with the worm attached.
If you click on the blue eye in the system tray, a button appears labelled, in Spanish, "Never press this button".
When the button is pressed, another message appears (also in Spanish) which translates as "Unfortunately you gave in to temptation and lost your computer". This message box is titled, in Spanish, 'Merry Christmas'.
Whether you press these buttons or not, your computer is already infected.
From here, W32/Navidad@M works somewhat like the 'Backdoor-G2' trojan that has been going around. It saves itself to a file on your hard drive called WINSVRC.VXD and makes changes to your Registry, resulting in an error message every time you try to run an '.EXE' program file.
Removal
When the worm ('Christmas') is running, it can be closed by clicking on the blue eye in the system tray. When the dialog box appears with the button that says "Never press this button", click on the 'close program' button (X) in the upper right corner of the box. Another message box will appear. Click OK in this box, and the program will close. The eye will no longer be in the system tray.
Do not clean or delete any of the infected files yet!
First off, it's important to realize that older versions of anti-virus software will not necessarily find this worm.
Some may find it, and clean or delete the infected files, but won't repair the Registry. Look for information on your anti-virus program's website.
Removing it manually does present some problems. First off, the registry changes made by W32/Navidad@M prevent you from running any '.EXE' programs. If you try to start a program with a '.EXE' extension you'll get an error box that says 'File Not Found'. Unfortunately, to repair the registry, you need to use REGEDIT.EXE.
One way around this is to rename REGEDIT.EXE to REGEDIT.COM. Files with a '.COM' extension are also executable program files!
(In Windows NT, you would change REGEDIT32.EXE to REGEDIT32.COM.)
Start a DOS session by clicking on START/PROGRAMS/DOS PROMPT, or reboot to the DOS prompt. At the DOS prompt, make sure you're in the Windows directory, and type:
REN REGEDIT.EXE REGEDIT.COM
Close out of the DOS session.
Now, from Windows, you can click on START/RUN and type REGEDIT. The Registry Editor will open. If you're not familiar with making changes to the Registry, get someone who is!
Look under HKEY_CURRENT_USER\SOFTWARE. The worm has created a key called 'Christmas'. Delete the key 'Christmas'.
Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When you click on the 'Run' key, delete the entry that says 'Win32BaseServiceMOD = C:\WINDOWS\SYSTEM\winsvrc.exe'. Look at the other 'Run' keys in this area and delete any references to 'winsvrc.exe'.
Next, look under HKEY_CLASSES_ROOT\exefile\shell\open\command. You'll see the entry:
(Default) = C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*
Change this to read: (Default) = "%1" %*
Do the same for the identical entry under HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command.
Close out of the Registry Editor. Do a search for WINSVRC.* and Christmas* and delete any files associated with the worm.
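The manual registry checks above can be verified against a registry export instead of clicking through REGEDIT. The following Python script is an added example, not part of the original article: it parses a text export in the REGEDIT4 format (what `REGEDIT /E` writes), reports the three artefacts the removal steps describe (the Christmas key, the Win32BaseServiceMOD Run entry and the hijacked exefile\shell\open\command defaults), and renders the fixes as a .reg file using the format's own key-deletion (`[-key]`) and value-deletion (`"name"=-`) syntax. The sample export and the function names are constructed for this example; the key paths and value names come from the text above.

```python
import re

CLEAN_EXE_COMMAND = '"%1" %*'   # normal default for exefile\shell\open\command
WORM_BINARY = "winsvrc.exe"     # binary the worm's Run entry points at
CHRISTMAS_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Christmas"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",)
EXEFILE_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

# Constructed sample export imitating an infected Windows 9x machine (not real data).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Christmas]
"Count"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
'''

# A value line is either @=... (the default value) or "name"=... with \" and \\ escapes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(data):
    """Undo REGEDIT4 string escaping; non-string data (hex:, dword:) is returned as-is."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    out, body, i = [], data[1:-1], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4/5 text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def audit(text):
    """List (action, key, argument) tuples for every Navidad artefact found in the export."""
    lower = {k.lower(): v for k, v in parse_reg(text).items()}   # registry paths are case-insensitive
    findings = []
    if CHRISTMAS_KEY.lower() in lower:
        findings.append(("delete_key", CHRISTMAS_KEY, None))
    for run_key in RUN_KEYS:
        for name, data in lower.get(run_key.lower(), {}).items():
            if WORM_BINARY in data.lower():
                findings.append(("delete_value", run_key, name))
    for cmd_key in EXEFILE_COMMAND_KEYS:
        default = lower.get(cmd_key.lower(), {}).get("(Default)", "")
        if WORM_BINARY in default.lower():
            findings.append(("set_value", cmd_key, CLEAN_EXE_COMMAND))
    return findings


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def remediation_reg(findings):
    """Render the findings as a REGEDIT4 file that deletes the key/value or restores the default."""
    lines = ["REGEDIT4", ""]
    for action, key, arg in findings:
        if action == "delete_key":
            lines += [f"[-{key}]", ""]
        elif action == "delete_value":
            lines += [f"[{key}]", f'"{_escape(arg)}"=-', ""]
        elif action == "set_value":
            lines += [f"[{key}]", f'@="{_escape(arg)}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_EXPORT)
    for action, key, arg in found:
        print(f"{action:12} {key}  {arg or ''}")
    print(remediation_reg(found))
```

Running the script against the constructed export reports four findings (one key to delete, one Run value to delete, two command defaults to restore) and prints the corresponding .reg file. Because the worm blocks .EXE execution, the same REGEDIT.COM rename trick from the text is needed before such a file can be imported; the value of the script is that it lets you confirm from an export that nothing referencing winsvrc.exe remains after cleanup.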